
Creating a World without Passwords and Beating Social Engineering | Executive Interview with Peter Barker
Questions Answered in This Episode
- Why does identity management suddenly matter more in the age of AI agents?
- How do you audit what AI agents are doing when they act on your behalf?
- Should AI agents have their own employee IDs instead of borrowing human credentials?
- Is the security boundary shifting from login to real-time authorization decisions?
- How can AI itself help simplify complex identity administration for healthcare leaders?
About This Episode
June 10, 2026: In healthcare, where downtime means lives, identity security is no longer just about who logs in. Bill Russell sits down with Peter Barker, Chief Product Officer at Ping Identity, to unpack why the agentic AI era demands a fundamental rethinking of identity, from giving AI agents first-class credentials to shifting the security boundary from login to the point of action. If your health system is deploying AI and you have not addressed non-human identity, this conversation is where to start.
Key Points:
01:18 Why Agents Change Identity
07:43 Runtime Identity And Authorization
15:00 Healthcare Passwordless Trust
20:11 CISO Playbook And Wrap Up
Transcript
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Speaker 40: [00:00:00] Today's episode is brought to you by Ping Identity. When healthcare workers are locked out of systems due to password issues, MFA delays or authorization glitches, patient care suffers. Ping Identity eliminates these roadblocks, giving staff seamless, verified and secure access to critical resources while it maintains full control. No more choosing between user experience, security and compliance. Healthcare systems using Ping Identity cut login times and complexity, increase security and reduce help desk costs while meeting the strictest audit requirements. See how at thisweekhealth.com/ping-identity. That's thisweekhealth.com/P-I-N-G-dash-identity. I'm Bill Russell, creator of This Week Health, where our mission is to transform healthcare, one connection at a time. This is an executive interview: [00:01:00] quick, powerful conversations with leaders driving change. So let's get started.
Bill Russell: All right, today we have an executive interview. Today I'm talking with Peter Barker, the chief product officer for Ping Identity. Peter, I'm looking forward to this conversation. Welcome to the show.
Peter Barker: Thanks so much. Yeah, likewise, looking forward to it.
Bill Russell: The world of identity is, is changing pretty rapidly because identity used to mean a person sitting in front of a keyboard or a phone or some aspect, uh, logging in, and, uh, that's changing very rapidly as we speak. So, give us, give us the big picture. Why is identity, uh, suddenly becoming more important in the age of AI and agentic systems, uh, today?
Peter Barker: You're totally right that, I mean, the history of identity is really generally focused on human identity with, you know, some exceptions, you know, in the non-human space with things like service accounts and client secrets and other things that maybe workloads would need to access systems. But generally speaking, [00:02:00] it's pretty, it's been pretty human-centric. And AI agents are really changing things pretty dramatically. And if we just think about what the literal definition of an agent is, it's something that's acting on someone's behalf or something's behalf with proper authority and delegation to take those actions. Um, and that means, you know, that has some broad identity implications that are really, really important.
Bill Russell: The words that I'm using a lot these days are observability and, and, um, and transparency, right? So if these agents are gonna start acting on our behalf and doing things on our behalf, that's, that's all well and good, and that's fine, and we want that. That's gonna drive a new level of productivity. But they're gonna break just like a human breaks from time to time. And when a human breaks, we, we look into the system, we see, oh yeah, we need to do some training here and that kind of stuff. Um, and we're moving pretty fast on this agentic thing. How do we get that observability and, and transparency [00:03:00] into, uh, what they're doing?
Peter Barker: Yeah, definitely agree. Uh, observability, transparency are super important, that auditability that you are referring to. And what makes AI agents so unique that maybe really amplifies those concepts is they are non-deterministic. And what I mean by that is you could give them the same instruction three different times, and maybe you get the same answer or result three different times, but the path it takes to get there might be drastically different. It's kind of like, you know, Google Maps and having different roads to get to your destination.
And that variability is super important, especially as you alluded to when- when you need to go figure out what happened and why it happened and did it happen under proper authority and did something bad happen or not, you know, uh, you think about maybe traditional concerns like liability. If somebody's making a claim and you need to reconstruct what happened, that auditability, provability is super important.
Bill Russell: You know, Peter, I, I've been thinking about this. I, I remember, I think it was [00:04:00] Mayo was talking about the fact that they were going to give every agent an employee ID. Mm. And I thought, "Wow, that's, that's really interesting." How, how should leaders think about identity for non-human actors? I think, is that the right, right way to say that, or agents?
Peter Barker: Yeah, I think, yeah, I think, uh, it's a good way to say it. I mean, non-human refers to a class of obviously inorganic things that interact with our systems. Uh, I think AI agents are the biggest, most predominant example at this stage, but there are, there are some other examples. But to your point, um, assigning or treating AI agents and non-human identities as first class native identities is really important because what you'll end up with if you don't is you might start to, let's say, give these agents access without auditability or maybe, for example, if, just a simple example, if I gave my username and password to an agent and it went and did a bunch of things [00:05:00] that I would normally do on my own, how do you know that it was the agent making those actions versus
Bill Russell: myself? Did, did, didn't we see that with OpenClaw essentially? Yes. People were like, "Oh yeah, here's my stuff. Go, go have at it," and- 100%,
Peter Barker: yes ... crazy
Bill Russell: stories.
Peter Barker: Yeah, OpenClaw's very, um, resourceful and creative, and y- you give it a set of tools and it, it really decides...
You know, it, it does things, it, it, it definitely does things that maybe the person who the, the human owner didn't want to happen, but in the mind of the OpenClaw agents, it's like, this is totally in bounds because I have the ability to do it. And yeah, that's impersonation, and impersonation is a really dangerous pattern in the world of identity. Just going right back to those things you said earlier around auditability. How do you even know it was the agent that did these things in the first place versus the human?
Bill Russell: Well, we, we spent an awful lot of time in, in the history of, of technology, you know, you'd walk up to a shared keyboard and the password would be on the bottom of it, and people would, you know, would all log in [00:06:00] as that same thing. And it didn't take us long to realize like, hey, wait a minute, this is, this, this is a problem. Like, we need to know. And so we eventually, uh, assigned everybody their own network identity, and we don't think twice about that anymore. In fact, we would- the, uh, the other would be abnormal. But in this world of, uh, AI agents, we do see people taking shortcuts and saying, "Well, you know, we're just gonna give it, you know, human credentials," or even worse, "We're gonna give it system credentials so it can, you know, run backups or check a log file or whatever." And it's like, what did we just do? That's a, that's a pretty, uh, high problematic area, isn't it?
Peter Barker: Yeah, completely. And, you know, if you think of that, that pattern of using essentially shared secrets that the agent can utilize, it, it goes to a model in identity or a legacy model in identity around what was called privileged access, where you would vault these sensitive secrets and, um, authenticated and [00:07:00] authorized people could check them out, use them, but you have to put all these controls around that. And that model is just outdated and it's, it's, it's broken.
So having first class identities, having native credentials for each individual agent, so you get that audit. And then I'd say the other thing that we haven't touched on just yet is importantly, how do you manage the relationship between the human operators, the human owners, and the agents themselves so that you know that at any given time, that what's happening with an agent is being done with proper delegated authority?
Bill Russell: It's interesting you say that. I mean, when I think about database, we have row-level security. Mm-hmm. On that row-level security, we'll essentially say, um, you know, we're... W- we can define it at the database level, so even if they log into a system, they can't be delegated too much authority, even if that [00:08:00] system isn't handling it correctly, because the database layer will say, "Hey, wait a minute, you know, that's escalated for what this person is." And I, I think about that in this... you know, Ping uses this phrase, I've seen this used, uh, with regard to you guys, runtime identity.
Peter Barker: Yep.
Bill Russell: And I, I think about that more and more, especially as I'm, I'm running into my, my Claude limits now on a daily, if not hourly basis. And, it, it's doing an awful lot of things with, um, you know, just, just in time sort of going over to the system, getting in there, getting the information, pulling it back, getting, you know, and doing an awful lot of, those things. And, and is, is the future less about did you log in and, and more about are you allowed to do specific things, uh, with what you're trying to access right now?
Peter Barker: Yeah, definitely. And, uh, going back to the example you gave around row-level security, that's really, in identity, a [00:09:00] concept we call fine-grained authorization, meaning you only have access to the portion of the data that you are authorized to interact with. And then that leads to this concept of runtime identity.
And in reality, access management id- and identity has always operated at runtime. What, what customers often have done, though, is they've placed all of the safeguards at the point of login or at the point of authentication. And, you know, we've said historically in the industry that, you know, identity is the new perimeter, which is totally true. But the question is, where is the security boundary now, and where should the security boundary be? So login and authentication is where that security boundary has typ- typically lived for the last couple of decades. And what you're describing, though, is it needs to go much deeper and much later beyond login to the point of action or the point of decision. And what we're talking [00:10:00] about is taking authorization all the way down to that decision so the security boundary moves. It shifts further right, not just at authentication, but throughout that, a, a much more continuous posture. And that, that gives rise to the notion of something we call decision security, not just identity security because it's a new concept where I think in traditional human identity terms, we've been able to tr- rely on other compensating controls, but with agents, you just can't any longer.
Bill Russell: How do you, how do you keep the administrative burden down? So I, I administer some databases and I do the row-level security. And the row-level security, I, I have to admit that when I'm doing context switching and moving between things and then I come back to it, I have to s- I have to sit there for a couple minutes and go, "All right. What the... Let me, let me get my arms around this first before I make any changes. Okay. Yeah, that's what, that's what we were doing." Um, and, and it gets, it gets complex pretty quick. How, how do you keep that from [00:11:00] happening?
Peter Barker: Yeah.
And, you know, y- I think you're describing generally, you know, in the world of identity and even more broadly in the world of cybersecurity, is the, the skill set and the context needed at any given moment to ensure you're not misconfiguring controls and also that you are setting best practices. You know, that's a challenge. And, you know, there, there is, generally speaking in cybersecurity, a, there, there's a shortage of qualified people. I think the opportunity we have, though, is to leverage AI for good in this regard, and not only- use identity to help secure AI, but bring AI to help automate identity better. So at Ping, we talk about two concepts. We talk about identity for AI, which is our solution to leverage our products for our enterprise customers to secure and enable AI safely in their environments. But the other we talk about is [00:12:00] AI for identity, which is how do we make our products, which inherently are complex things, just as you described, how do we make it much more accessible and easy and make sure that they're following best practices? And I think there's a lot of things happening together, like you mentioned Claude Code, for example. Everyone's becoming a builder in this day and age. So how is it that we leverage these, this new disruption, these new capabilities to sort of solve some of these emerging problems that you're describing?
Bill Russell: Yeah, you know what's interesting as you, as you were describing that, I love that, that, uh, using AI to make your product easier to administer because that's essentially when I go into the row-level security now, a lot of times I will have AI there and I'll say, "Hey, let's do an audit of the row-level security. I'm thinking of adding this."
And it will, it will go, it will do that, that deep thought around it ahead of me doing anything and say, "Hey look, you know, here's the changes we made last time, and, uh, the changes you're making this time might expose this," or [00:13:00] whatever. And it, it helps me to make sure, uh, it, it's people keep talking about human in the loop, and I love that concept, but, uh, it's AI in the loop. It's like- Yeah ... I want, I want somebody looking over my shoulder.
Peter Barker: Yeah. It's really, yeah, you're touching on some almost philosophical questions there too that I'd love to, to talk about in a minute. But, um, you know, one thing that a provider like you're, the, the database you're describing, you know, somebody provides that database, we as providers of solutions to the market at Ping, we view that part of what we now need to deliver is not just the product, but actually the skills that tools like Claude Code can leverage so that it doesn't need to go figure out how to do things and maybe rely on incorrect information, but actually just arm it and equip it to be efficient immediately. You know, the, especially when you, you mentioned running into your quota limits on tokens are, you know, regularly, how do we make the most efficient use of tokens, for example? Let's not waste time having an agent try to figure [00:14:00] out what's the best row-level security scheme for this database, or in the case of Ping Identity, what's the best, you know, practice for configuring security in the system? So that's another change that, you know, at Ping we're moving towards very quickly, is not just making our products headless, uh, as in what Salesforce just announced a couple of weeks ago, but actually shipping everything needed so that coding agents themselves just instantly are able and skilled to interact and to configure efficiently.
Bill Russell: Yeah, for those who aren't familiar with the whole headless concept, it's essentially it's designing your software that it doesn't need a UI, it doesn't need a, an interface per se. It can have one, but it is designed so that agents can interact with it, that, uh, that foundation models and other models can interact with it. So it's designed for a world where systems are interacting with systems and, we see a lot of software... the discussions are talking about it, and it's definitely heading in, in that [00:15:00] direction. I want to talk about healthcare a little bit. Um, healthcare has a, a, an interesting tension, if you will. Security has to be strong, no doubt about that, but, uh, care teams can't be slowed down, uh, ever. Um, how should identity leaders balance the, the frictionless access with high assurance trust of the system?
Peter Barker: In many ways, what we see customers doing, you know, whether it's healthcare or other verticals, is they are racing to automate repetitive and burdensome tasks, and then more largely starting to automate end-to-end workflows to try to gain efficiency. And in the case of healthcare, delivering the best patient care in the fastest way possible is of paramount im-importance. But what we're dealing with is some really important things like people's lives, and we're dealing with their very sensitive data, and the cost of a mistake is extraordinarily high. And so we, we see, we see the need to, to bring this together with a [00:16:00] single enterprise trust control plane that can marry these concerns together, allow people to go fast, but allow them to go fast very safely, and keep it under control. And then importantly, comply with regulations, which, you know, in healthcare, there are numerous regulations that companies have to be concerned about complying with.
Bill Russell: I'm on the record as saying as, as long as we have passwords, we will always have insecure systems.
And, uh, so that's one of my p- my, uh, future items is a world without passwords. Are, are we getting close to passwordless, uh, access?
Peter Barker: Yeah, we, we are, but, you know, there is so much legacy out there where the systems themselves don't understand how to be without a password. But if we think about what, what is the risk that passwords bring, it's, it's the human knowledge of the password that is getting compromised. So I might be socially engineered for my password, and then I might be, even though we have [00:17:00] things like MFA, I might be prompt bombed, meaning I continually get challenged to just approve this prompt on my phone because I'm getting tired of seeing it, so that somebody may compromise me. So I would say that while it, it may be a long while before we actually get rid of all of these legacy systems, because many companies are still running mainframes to this day, um, it's the thing that we can accomplish is what I would call a truly passwordless experience. And what that does is it removes the risk of the password, which is the human knowledge of it. So if we can remove the human knowledge of the password, even though we may not fully eradicate them throughout all the systems, I think that's the big step we can really aim for.
Bill Russell: No, that's absolutely right. Every time I had a, uh, uh, we, we would get a white hat, uh, person to come in and, and do penetration testing and whatnot. Every time they got in, they got in the same way. I'm like, "You guys are cheating." They're like, "We're not cheating. It's the same way everybody gets in." Yeah. They ask people for their passwords, and they give it to them. I'm like, "Oh, man." Yeah. Um, it, it felt to me like a, a [00:18:00] very difficult thing. But I, I, I want to get back to this.
Um, for, for CIOs or, or CISOs, digital leaders who are listening to this, um, it, it would seem to me that, you know, one of the first places to start is to identify all your current AI agents and give them an identity. I mean, is that, is it almost like that's the starting gate?
Peter Barker: Yeah, it definitely is. But, and let me just say one other thing about the passwordless thing while I, I have it on my mind, and then I'll come to your question there. You know, the other thing, if, if you think about that fact that the white hat testers just always went the same path, it just means that we're not able... We sh- we should just reach the conclusion that we'll never solve the human weakness. So then the question becomes- could we have a security posture that even if my account is compromised, that I still don't give access? And that's, in, at Ping Identity we have another concept outside of our identity for AI that we call verified trust, which is it's re-verifying that it's actually [00:19:00] you in every interaction. Even if your password has been compromised, your account has been compromised, that the system can still ensure, like if it is a, a third party attacker, it'll know that and disallow access even if they have the credentials. So I just wanted to mention that. Now
Bill Russell: to your- Well, uh, Peter, I'll come back to my question in a second because the most pivotal, uh, mindset shift for me was in 2013, and I sat across from a former NSA, uh, staffer who had just finished doing a penetration testing, and I said, "Well, what am I supposed to do?" And they said, "Assume they're already on your network." Yes. "Stop, stop. W- All the systems you're designing are incorrect. Like, they're already on your network, they already have credentials. Now design." And I was like, "They already have credentials and I'm supposed to design for that?" He goes, "Absolutely. That's where you need to start." I was like... And that was in 2013.
I'm like, "Wow, that's..." But that's what you're describing, right?
Peter Barker: That is the mindset, yeah. And, and so the good news is I do think there are now techniques to better [00:20:00] cope with that potential reality. Um, uh, again, Verified Trust is our initiative, our solution set that helps to design in a world, exactly as you said, where they're already on your, on your network.
Bill Russell: So let, let's give the CIOs and CISOs sort of a, a, a game plan, a framework, uh, coming out of this. We, we s- uh, we started talking about just identifying all your AI agents and, and giving them an identity. Is there... Uh, I mean, if that's the starting place, what's, what's like the next two, two or three things that they should do after that?
Peter Barker: Yeah. So just one elaboration on that starting point is if you think back to when AWS was just starting out and you had developers who were frustrated with IT infrastructure teams who just couldn't provide them the compute that they needed as quickly as they needed, so they started buying rent, rent a computer, if you will, in the SaaS, IaaS environments. Um, agents in many ways are gonna be the same way. And so while in that first step it is critical, as you said, [00:21:00] to, to- catalog and to give identities to all these agents. Part of the challenge is how do you even identify what they all are out there in your environment? Because it's, it would be foolish to think that you will know where they all are, just like it's foolish to think you know where all the SaaS apps are without having tools that do the discovery. So I think the first step is to implement discovery tools, so you actually know the scope of what you're trying to get under control. That, that's step one.
And as part of that discovery solution, then it ingests the agent identities and starts to apply controls to them in terms of who owns them, are they authorized, do we allow them, what permissions do we give them, those types of things. That would be step number one. Step number two that follows then is implementing runtime identity. If that first step that I described as sort of establishing a trusted agent framework, now what you need to do is implement the runtime controls so that when these trusted agents are actually [00:22:00] doing things and transacting and interacting, that those things are under proper authority and delegation and audit that we talked about, um, earlier. So implementing runtime control is really, really critical, and I'll just give you a quick example. You know, developers are out there trying to meet the, the needs of the business, and they're being asked to automate workflows. They're doing things like implementing MCP servers, Model Context Protocol servers, which is... You think of as the modern AI API layer for these foundation models to interact with. Well, these developers don't know how to secure those as an example. And so once you give agents access to MCP servers, you've already sort of started to lose the battle if you don't inject security into that interaction. And so that's an example where you can implement runtime security by putting a layer in front of MCP to start understanding, here's the agent coming in. It will do redirects to go look at, do we know this agent? Are they authenticated? Are they authorized? [00:23:00] Is the human in the loop? So that's just one example, um, of how you can implement runtime, um, run- runtime identity.
Bill Russell: That's interesting. So as I'm interacting with my, um, foundation model, it, it will launch agents all the time, and some of those are MCP, some of those are, um, skills and other things. But, uh, but we're more talking about the connections.
They're connecting into your data structure, they're connecting to various things. Um, and you're saying put a layer in between. Now, if it's designed correctly, they, they have that layer where you authenticate and you come back and, uh, there's, there's some sort of authentication. But you're saying, um, you can actually wrap that foundation model to make sure every call is, is looked at and appropriate.
Peter Barker: Yeah, it's... There's two sides to the equation. Wrap the resources that are being accessed on one hand. The other is- um, wrapping the agent themselves to assess things like intent and is the intent aligned with the instruction, for example. And so I... But I think at the end of the [00:24:00] day, putting, putting protections around the things being accessed is really critical. Uh, in identity, we have that pattern today where, you know, people cannot come into resources unauthenticated, just like your database that you described. But making sure that's integrated with a central identity control plane that can understand all these things, the humans, the, the operators, the agents that are acting, what permissions, and marry all of that together into a policy that can be applied to the interaction is really important.
Bill Russell: So Peter, I'm gonna give you the, the last word here. So give us the one sentence takeaway.
Peter Barker: We think runtime identity for agents is a critical approach to taking this to the level needed to address all the concerns we discussed today. Implementing one enterprise trust control plane that understands the humans and the agents, importantly, the relationship between those two together, is really important as well.
Bill Russell: Peter, I wanna thank you for your time. I love this, uh, discussion. I think it's really [00:25:00] relevant, for our community, so thank you very much.
Speaker: Thanks for joining us for this executive interview with me, Bill Russell.
Every healthcare leader needs a community they can lean on and learn from. Subscribe at thisweekhealth.com/subscribe and share this conversation with your team. Together we're transforming healthcare. Thanks for listening. That's all for now.





